But that said, the situation in Bookworm might not be optimal for kerberized NFS setups.

Regards,
Salvatore
We tried to do an upgrade to Trixie just to see how the situation was looking there, and at least for now the problem persists:

root@basic-nas:~# uname -a
Linux basic-nas.lab.skyfritt.net 6.12.17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.17-1 (2025-03-01) x86_64 GNU/Linux
root@basic-nas:~# cat /boot/config-6.12.17-amd64 | grep AES_SHA2
# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set
root@basic-nas:~#
Log file from Trixie when we enforce the encryption schemas in question from the clients:
Mar 18 09:43:42 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
Mar 18 09:44:53 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
I hope you will consider including RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 in future main kernel releases, or if possible include it as a module.
-- Best Regards, Jostein Fossheim
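A small check script for the failure mode described in this thread. This is an added example, not code from the bug report or from the Debian kernel or nfs-utils packages: it reads the running kernel's /boot/config-$(uname -r), reports whether the SHA-2 Kerberos enctypes for RPCSEC_GSS are built in, as a module, disabled or absent from the config altogether, and pulls the rejected enctype names out of rpc.svcgssd log lines of the form shown above. The sample config and log text embedded in the script are constructed to mirror the report (the CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 line is assumed, not shown on the page), and the systemd unit name rpc-svcgssd used for the live journal query is an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a kernel that cannot accept
# SHA-2 Kerberos enctypes over RPCSEC_GSS, and list which enctypes clients
# tried that the server rejected.

# Constructed sample of /boot/config-* content; the AES_SHA1 line is assumed.
SAMPLE_CONFIG='CONFIG_RPCSEC_GSS_KRB5=m
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set'

# Constructed sample log lines, modelled on the rpc.svcgssd errors in the report.
SAMPLE_LOG='Mar 18 09:43:42 basic-nas rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
Mar 18 09:44:53 basic-nas rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
Mar 18 09:44:53 basic-nas rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
Mar 18 09:45:10 basic-nas rpc.svcgssd[1833]: leaving poll'

# config_state SYMBOL < config-file
# Prints one of: enabled (=y or =m), disabled ("is not set"), absent (no line).
config_state() {
  sym="$1"
  cfg="$(cat)"
  if printf '%s\n' "$cfg" | grep -q "^${sym}=[ym]\$"; then
    echo enabled
  elif printf '%s\n' "$cfg" | grep -q "^# ${sym} is not set\$"; then
    echo disabled
  else
    echo absent
  fi
}

# rejected_enctypes < log-text
# Extracts the enctype name from every "Encryption type X not permitted"
# line, deduplicated and sorted, one per line.
rejected_enctypes() {
  sed -n 's/.*Encryption type \([a-z0-9-]*\) not permitted.*/\1/p' | sort -u
}

# Live check against the running host. The config path follows the Debian
# naming seen in the report; the unit name rpc-svcgssd is an assumption.
check_host() {
  cfg_file="/boot/config-$(uname -r)"
  if [ ! -r "$cfg_file" ]; then
    echo "cannot read $cfg_file" >&2
    return 2
  fi
  sha2=$(config_state CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 < "$cfg_file")
  sha1=$(config_state CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 < "$cfg_file")
  echo "kernel $(uname -r): AES_SHA1=$sha1 AES_SHA2=$sha2"
  echo "enctypes rejected by rpc.svcgssd according to the journal:"
  journalctl -u rpc-svcgssd --no-pager 2>/dev/null | rejected_enctypes
  [ "$sha2" = enabled ]
}

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_host
fi
```

Run it with RUN_LIVE=1 on the NFS server; a non-zero exit from check_host means the kernel will reject aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128 tickets exactly as in the log above, so the client-side enctype enforcement has to wait for a kernel with the option set.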